Security update for tomcat SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1673-1 Final 1 1 2019-06-30T19:03:50Z current 2019-06-30T19:03:50Z 2019-06-30T19:03:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat to version 9.0.20 fixes the following issues: Security issues fixed: - CVE-2019-0199: Fixed a denial of service in the HTTP/2 implementation related to streams with excessive numbers of SETTINGS frames (bsc#1131055). - CVE-2019-0221: Fixed a cross site scripting vulnerability with the SSI printenv command (bsc#1136085). Non-security issues fixed: - Increase maximum number of threads and open files for tomcat (bsc#1111966). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1673 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36H2KGFI64Y7Z3YTFXWV2YQODHAXC6AV/#36H2KGFI64Y7Z3YTFXWV2YQODHAXC6AV E-Mail link for openSUSE-SU-2019:1673-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1111966 SUSE Bug 1111966 https://bugzilla.suse.com/1131055 SUSE Bug 1131055 https://bugzilla.suse.com/1136085 SUSE Bug 1136085 https://www.suse.com/security/cve/CVE-2019-0199/ SUSE CVE CVE-2019-0199 page https://www.suse.com/security/cve/CVE-2019-0221/ SUSE CVE CVE-2019-0221 page openSUSE Leap 15.0 tomcat-9.0.20-lp150.2.19.1 tomcat-admin-webapps-9.0.20-lp150.2.19.1 tomcat-docs-webapp-9.0.20-lp150.2.19.1 tomcat-el-3_0-api-9.0.20-lp150.2.19.1 tomcat-embed-9.0.20-lp150.2.19.1 tomcat-javadoc-9.0.20-lp150.2.19.1 tomcat-jsp-2_3-api-9.0.20-lp150.2.19.1 tomcat-jsvc-9.0.20-lp150.2.19.1 tomcat-lib-9.0.20-lp150.2.19.1 tomcat-servlet-4_0-api-9.0.20-lp150.2.19.1 tomcat-webapps-9.0.20-lp150.2.19.1 tomcat-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-admin-webapps-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-docs-webapp-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-el-3_0-api-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-embed-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-javadoc-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-jsp-2_3-api-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-jsvc-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-lib-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-servlet-4_0-api-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 tomcat-webapps-9.0.20-lp150.2.19.1 as a component of openSUSE Leap 15.0 The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. CVE-2019-0199 openSUSE Leap 15.0:tomcat-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-admin-webapps-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-docs-webapp-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-el-3_0-api-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-embed-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-javadoc-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-jsp-2_3-api-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-jsvc-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-lib-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-servlet-4_0-api-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-webapps-9.0.20-lp150.2.19.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36H2KGFI64Y7Z3YTFXWV2YQODHAXC6AV/#36H2KGFI64Y7Z3YTFXWV2YQODHAXC6AV https://www.suse.com/security/cve/CVE-2019-0199.html CVE-2019-0199 https://bugzilla.suse.com/1131055 SUSE Bug 1131055 https://bugzilla.suse.com/1139924 SUSE Bug 1139924 The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. CVE-2019-0221 openSUSE Leap 15.0:tomcat-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-admin-webapps-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-docs-webapp-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-el-3_0-api-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-embed-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-javadoc-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-jsp-2_3-api-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-jsvc-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-lib-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-servlet-4_0-api-9.0.20-lp150.2.19.1 openSUSE Leap 15.0:tomcat-webapps-9.0.20-lp150.2.19.1 low 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/36H2KGFI64Y7Z3YTFXWV2YQODHAXC6AV/#36H2KGFI64Y7Z3YTFXWV2YQODHAXC6AV https://www.suse.com/security/cve/CVE-2019-0221.html CVE-2019-0221 https://bugzilla.suse.com/1136085 SUSE Bug 1136085